cls_u32: signedness bug

Message ID 20101004122836.GB5692@bicker
State Accepted, archived
Delegated to: David Miller

Commit Message

Dan Carpenter Oct. 4, 2010, 12:28 p.m. UTC
skb_headroom() is unsigned so "skb_headroom(skb) + toff" is also
unsigned and can't be less than zero.  This test was added in 66d50d25:
"u32: negative offset fix"  It was supposed to fix a regression.

Signed-off-by: Dan Carpenter <error27@gmail.com>
---
Compile tested only.  Please check.


Comments

David Miller Oct. 5, 2010, 7:40 a.m. UTC | #1
From: Dan Carpenter <error27@gmail.com>
Date: Mon, 4 Oct 2010 14:28:36 +0200

> skb_headroom() is unsigned so "skb_headroom(skb) + toff" is also
> unsigned and can't be less than zero.  This test was added in 66d50d25:
> "u32: negative offset fix"  It was supposed to fix a regression.
> 
> Signed-off-by: Dan Carpenter <error27@gmail.com>
> ---
> Compile tested only.  Please check.

This looks correct to me, thanks for fixing this.

Applied.
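
The signedness reasoning in the commit message, as an added example that is not part of the thread or of the kernel source: a user-space model of the check before and after the patch, compared against a reference computed in a wider signed type. `model_headroom()` and the sample values are hypothetical stand-ins constructed for the demonstration.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical stand-in for skb_headroom(): like the kernel helper it
 * returns unsigned int. The value is passed in for the demo. */
static unsigned int model_headroom(unsigned int bytes) { return bytes; }

/* Check before the patch. The int operand is converted to unsigned int,
 * so the sum is unsigned and "< 0" can never be true. */
static int old_check_rejects(unsigned int headroom, int toff)
{
	return model_headroom(headroom) + toff < 0;
}

/* Check after the patch. A sum that would be negative as a signed value
 * wraps to something above INT_MAX in unsigned arithmetic. */
static int new_check_rejects(unsigned int headroom, int toff)
{
	return model_headroom(headroom) + toff > INT_MAX;
}

/* Reference answer in a wider signed type: does the offset point before
 * the start of the buffer? */
static int points_before_buffer(unsigned int headroom, int toff)
{
	return (long long)headroom + toff < 0;
}

/* Counts constructed cases where a check disagrees with the reference. */
static int count_misses(int (*check)(unsigned int, int))
{
	/* Constructed sample values: {headroom, toff}. */
	static const struct { unsigned int headroom; int toff; } cases[] = {
		{ 64, 0 }, { 64, 14 }, { 64, -14 }, { 64, -64 },
		{ 64, -65 }, { 64, -4096 }, { 0, -1 }, { 32, INT_MIN },
	};
	int misses = 0;
	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		if (!!check(cases[i].headroom, cases[i].toff) !=
		    points_before_buffer(cases[i].headroom, cases[i].toff))
			misses++;
	return misses;
}

int main(void)
{
	printf("old check misses: %d, new check misses: %d\n",
	       count_misses(old_check_rejects), count_misses(new_check_rejects));
	return 0;
}
```

The new form matches the reference only while the headroom and any positive sum stay at or below `INT_MAX`, which holds for every value in this sample.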

Patch

diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c
index 7416a5c..b0c2a82 100644
--- a/net/sched/cls_u32.c
+++ b/net/sched/cls_u32.c
@@ -137,7 +137,7 @@  next_knode:
 			int toff = off + key->off + (off2 & key->offmask);
 			__be32 *data, _data;
 
-			if (skb_headroom(skb) + toff < 0)
+			if (skb_headroom(skb) + toff > INT_MAX)
 				goto out;
 
 			data = skb_header_pointer(skb, toff, 4, &_data);
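
Review bot: The new condition on the `+` line, `skb_headroom(skb) + toff > INT_MAX`, detects a negative sum only through unsigned wraparound, and nothing in the hunk says so; a reader will take it for an overflow check. A one-line comment above the test, or an explicit signed form such as `(int)(skb_headroom(skb) + toff) < 0`, would make the intent obvious. Since the submission is marked compile tested only, a run with a filter whose `toff` is negative and larger in magnitude than the headroom would confirm that the `goto out` path is now taken.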